Defending Against Mac Webcam Hijacks

Patrick Wardle, director of research for the security company Synack, often ponders new ways to hack Apple Macs. His latest research project focuses on the Mac's webcam, highlighting how malware could secretly record a webcam session.

Wardle's research, which he presented at the Virus Bulletin conference in Denver on Oct. 6, doesn't focus on how to exploit vulnerabilities in macOS, Apple's latest desktop operating system. Instead, it demonstrates how malware could take advantage of the fact that Apple allows a webcam to be accessed by more than one program at a time, a feature that could be helpful to users but could also pose a security risk.

"That was something I was concerned about," Wardle says. "It would be naïve to think that other people haven't thought about this who are designing Mac malware, and if they haven't, I would say they're not doing their jobs."

Targeted Recording

Increasingly, Mac malware programs try to access a webcam, but there's a dead giveaway when it's turned on: A webcam's green LED light comes on. Apple has strong security protections around the webcam that make it very difficult, but not impossible, for malware to turn the light off, Wardle says.

"Without physical access, you are probably not going to be able to manipulate that in a way that would allow you to record without the light going on," Wardle says.

But he came up with a better idea. Rather than randomly turn the webcam on and only see or record someone sitting silently at their computer, why not write malware that begins recording video sessions when, for example, a FaceTime or Skype call starts?

"These are the things malware or a nation-state or cybercriminal would want to record anyways," Wardle says. "If you record my entire day, I'm just sitting at my desk picking my nose. When I hop on that webcam session and talk about sensitive business details ... those are the interesting snippets."

The webcam's green light comes on when a FaceTime session is started. But there's no additional notification or warning if a second application simultaneously taps into the video stream using AV Foundation, Apple's framework for accessing the webcam. There are advantages to this arrangement for users. During a FaceTime call, a user can also snap a photo using Apple's mugshot program, Photo Booth.

Wardle says he doesn't want to overhype his findings, because the attack scenario is based on several assumptions. For example, malware has to get on a system, and Apple has several security features, such as XProtect, an anti-malware tool, and Gatekeeper, which can restrict what applications can be installed based on digital signatures.

"Really, it's a neat capability that existing malware could very trivially add that would allow them to record the local user while they're using the webcam without detection," he says. "As a Mac user, that's something I would want to be aware of if there was some undetected malware on my system."

OverSight, A Security Tool

Wardle had some informal chats with Apple's security team about the issue. They agreed that allowing multiple programs to access a webcam is legitimate OS functionality. But Wardle thinks it might be better to notify users when such behavior happens and enable them to make a decision on whether to allow it. At least three types of Mac malware are out there that try to access the webcam: Crisis, Eleanor and Mokes.

Apple locks down other critical components of its operating system. Take Keychain, macOS's built-in password manager. Access to Keychain requires a system password, so it would be evident to users immediately if malware tried to access it.

In the meantime, Wardle built a free tool that alerts users. The tool, called OverSight, detects any new process trying to gain access to the webcam. Users can choose to allow or block it, giving them more insight into what's happening on their Mac. It's possible for malware writers to change the name of a malicious process to, for example, FaceTime. But if users are suspicious of such a ruse, OverSight can show the file path and process ID, which can be cross-referenced to see if the process is legitimate.
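The cross-reference described above can be scripted. The following is an added example, not OverSight's code: it checks the process name and file path from a camera-access alert against a baseline of expected locations. The baseline paths, the `classify` and `review` helpers, and the sample alerts are assumptions constructed for illustration.

```python
import posixpath

# Assumed baseline: expected executable paths for apps the article names.
# Locations vary by macOS version; adjust for the systems you manage.
EXPECTED_PATHS = {
    "facetime": {
        "/Applications/FaceTime.app/Contents/MacOS/FaceTime",
        "/System/Applications/FaceTime.app/Contents/MacOS/FaceTime",
    },
    "photo booth": {
        "/Applications/Photo Booth.app/Contents/MacOS/Photo Booth",
        "/System/Applications/Photo Booth.app/Contents/MacOS/Photo Booth",
    },
    "skype": {"/Applications/Skype.app/Contents/MacOS/Skype"},
}

def classify(name, path):
    """Return 'expected', 'masquerade' or 'unknown' for one camera client."""
    expected = EXPECTED_PATHS.get(name.strip().casefold())
    if expected is None:
        return "unknown"  # no baseline for this name; needs a human look
    # Collapse "." and ".." segments so a path that merely begins with a
    # trusted prefix is compared by where it actually points. This is a
    # string operation only; it does not resolve symlinks.
    normalized = posixpath.normpath(path)
    return "expected" if normalized in expected else "masquerade"

def review(records):
    """Map (pid, name, path) alert records to (pid, name, verdict)."""
    return [(pid, name, classify(name, path)) for pid, name, path in records]

# Constructed sample alerts: (process ID, process name, file path).
SAMPLE_ALERTS = [
    (412, "FaceTime", "/System/Applications/FaceTime.app/Contents/MacOS/FaceTime"),
    (977, "FaceTime", "/Users/alice/Library/Caches/FaceTime"),
    (1033, "FaceTime",
     "/Applications/FaceTime.app/Contents/MacOS/../../../../tmp/FaceTime"),
    (1200, "updater", "/usr/local/bin/updater"),
]

if __name__ == "__main__":
    for pid, name, verdict in review(SAMPLE_ALERTS):
        print(f"pid={pid} name={name!r} verdict={verdict}")
```

A matching path is only a first check. On the Mac itself, running `codesign -dv` against the reported path shows who signed the binary.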

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.